Dear mailing list! On our SuSE 7.2 web server, IPCHAINS and SuSEfirewall were running. Today I've updated from kernel 2.2 to 2.4 and replaced IPCHAINS with IPTABLES and SuSEfirewall with SuSEfirewall2. All runs very well, but one problem remains. With the old configuration, the users inside my LAN (IP: 192.168.0.x) were able to connect to the server (IP: 192.168.0.100 internal, IP: 196.123.22.100 external) directly, without a proxy or anything else. With the upgrade this is not possible anymore, but I don't want to change anything on the workstations. Do you have any idea how the users inside can reach 196.123.22.100 directly? I've tried it with masquerading, but it doesn't work. Thanks in advance, Michael
-- 
GMX - the communication platform on the Internet. http://www.gmx.net
Hi Michael, a first help for your problem may be watching `# tail -f /var/log/firewall` running on your web server while trying to connect to this thingie from inside your network. If you run this machine within a DMZ in the same subnetted address range as the external NIC, you might have run into trouble with rp_filter. (I mention that because this is a trap in a very common environment for web servers.) Some antispoofing deny messages in the firewall logs might give hints on that. I don't suppose that your problem is related to any masquerading issue. Regards, Onkel Hilberto
On Thu, 30 May 2002 chemiegott@gmx.net wrote:
> With the old configuration, the users inside my LAN (IP: 192.168.0.x) were able to connect to the server (IP: 192.168.0.100 internal, IP: 196.123.22.100 external) directly, without a proxy or anything else. With the upgrade this is not possible anymore, but I don't want to change anything on the workstations.
> Do you have any idea how the users inside can reach 196.123.22.100 directly? I've tried it with masquerading, but it doesn't work.
I noticed the same thing when I upgraded my server. Therefore, I'm guessing you use your web server as firewall/gateway as well. If not, this might be completely wrong... :-) Note that this is just a suggestion, and it might need to be tweaked a little depending on your level of trust in your users. I trust myself, and thus don't need to worry about malicious users... SuSEfirewall, at least the version shipped with 7.3, doesn't provide access to your outer interface from the inside out of the box, nor does it have configuration options to solve this. Therefore, you either need to play with the different hooks in the firewall-custom.rc.config file or cheat (as I did).

    iptables -I INPUT 1 -j ACCEPT -p all -i <int.if> -d <ext.ip> -s <int.net>

does the trick. You may not want to be quite as generous, I suppose. It's a starting point, at least. /Johan
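An added example, not code from the thread or from SuSEfirewall2, that narrows Johan's `-p all` rule to the web ports only and scripts the rp_filter check Hilbert suggests; the interface name eth1, the address values and the optional proc-root argument are assumptions.

```shell
#!/bin/sh
# Added example. Builds a narrowed version of the "cheat" rule from the thread
# and reports the rp_filter state of an interface. Nothing here calls iptables;
# the rule is printed so it can be reviewed before it is applied on the firewall.

# Emit an INPUT rule that lets LAN hosts reach the external address through the
# internal interface, limited to TCP 80/443 instead of "-p all". Inserting at
# position 1 keeps it ahead of the SuSEfirewall2 antispoofing chain.
# Arguments: internal interface, external IP, internal network in CIDR form.
allow_rule() {
    int_if=$1; ext_ip=$2; int_net=$3
    printf 'iptables -I INPUT 1 -i %s -s %s -d %s -p tcp -m multiport --dports 80,443 -j ACCEPT\n' \
        "$int_if" "$int_net" "$ext_ip"
}

# Report the reverse-path filter setting for an interface. On Linux the value
# lives in /proc/sys/net/ipv4/conf/<if>/rp_filter (0 = off, non-zero = on).
# The proc root is a parameter so the check can be run against a constructed
# directory when not on the firewall host.
rp_filter_state() {
    int_if=$1; proc_root=${2:-/proc/sys/net/ipv4/conf}
    f="$proc_root/$int_if/rp_filter"
    if [ ! -r "$f" ]; then
        echo "unknown"
        return 1
    fi
    case "$(cat "$f")" in
        0) echo "off" ;;
        *) echo "on" ;;
    esac
}

# Placeholder values matching the thread's addressing; eth1 is assumed.
allow_rule eth1 196.123.22.100 192.168.0.0/24
rp_filter_state eth1 || echo "rp_filter for eth1: cannot read (run on the firewall host)"
```

When rp_filter is on for the internal interface and the external address is in the same subnet as the external NIC, the kernel may drop the LAN packets before any iptables rule sees them, which is why the check belongs next to the rule.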
Thanks for all your answers! The fact was really that SuSEfirewall2 doesn't allow users with an internal IP to access a web server (in fact the firewall runs on this web server... sadly!) on the external device, though the web server has two devices and one has an internal IP. The cause for this was the antispoofing mechanism in SuSEfirewall2. With all your help I've solved the problem. Thanks a lot. Michael ;-)
-- 
GMX - the communication platform on the Internet. http://www.gmx.net